K: Contains high-level summary information about changes to files & directories
$UsnJrnl
(Topic: $UsnJrnl Provides Change Tracking Service. p. 68)
J: On a Windows 10 machine with ScopeSnapshots disabled, can files from the %TEMP% folder be recovered from a Volume Shadow Copy by default, and which artifact confirms this?
Yes. The ScopeSnapshots value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore confirms it: when it is set to 0, snapshots are no longer scoped to system files, so user data such as %TEMP% is included in each snapshot.
(Topic: Evidence of Historical Data. p.9)
Honey is attempting to recover deleted volume shadow snapshots. What is the purpose of the following command?
# cd /mnt/vsscarve_basefile/
# for i in vss*; do mountwin $i /mnt/shadowcarve_basefile/$i; done
Mounting the logical filesystem of each snapshot
(Topic: Carving for Snapshots in the FOR508 SIFT. p 100)
G: This NTFS metadata file exists to ensure the integrity of the file system; at least five categories of change are recorded in it to accomplish this.
$LogFile
(Topic: File System Journaling Overview. p. 65-68)
K: This is a sequence of bytes at the beginning of a file that is unique to each file type.
File Signature/magic number
(Topic: File Recovery - Metadata Method vs. Carving Method. p. 94)
When is file data stored directly inside the MFT record (resident data)?
When the data is small enough, roughly 700 bytes or less
(Topic: Analyzing $DATA. p. 49)
What libvshadow command-line tool can expose Volume Shadow Copies as raw disk images for further analysis?
vshadowmount
(Topic: Mount VSS Drive vshadowmount. p. 14)
Honey is an IR analyst tasked with checking for suspicious files. The image shown is sample output of the log when opened; which files should Honey flag based on the logs provided?
List all that apply (an incomplete answer will not be accepted). Answers should be based on the topics discussed in Book 5.
4B5F7BD8CE21E8F39C916A21529601F4
M: When a file is deleted, which of the following tasks does NTFS perform? (Choose all that apply)
a. The parent directory's index marks the entry as available. This may trigger a rebalancing of the index, which may or may not overwrite the file's index entry
b. The MFT record is marked as available but is not immediately overwritten; it may survive completely intact
c. $LogFile is updated to reflect the transaction that occurred.
d. All of the above
e. None of the above
d. All of the above
(Topic: NTFS: What Happens When a File Is Deleted? p. 81)
Every valid MFT entry starts with this signature. What is its value, and what signature does an entry carry instead if it has been flagged as corrupt?
FILE (0x46 0x49 0x4C 0x45); BAAD if the entry has been flagged as corrupt
(Topic: Analyzing MFT Entry Header & $STANDARD_INFORMATION. p.37)
Which attributes make up the $I30 directory index?
$INDEX_ROOT and $INDEX_ALLOCATION
(Topic: NTFS Directory Attributes. p. 57)
True or False:
In NTFS, files and data streams can only be associated in a 1:1 relationship.
FALSE
(Topic: Analyzing $DATA. p. 49)
M: How many times does SDelete rename a file before deleting it?
26 (once for each letter A through Z)
(Topic: Example of File Wiping with Sdelete. p. 85)
K: Which two NTFS attributes each carry a set of timestamps, and what anti-forensic technique is suspected when discrepancies are seen between them?
$STANDARD_INFORMATION and $FILE_NAME; timestomping
(Topic: Windows Time Rules for $STANDARD_INFORMATION | Windows Time Rules for $FILENAME. p. 44-45)
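The two time-rule questions above come down to comparing the $STANDARD_INFORMATION and $FILE_NAME timestamps of one MFT entry. The following is an added example, not FOR508 course code: it applies the two checks an analyst makes most often ($SI creation earlier than $FN creation, and $SI times with no sub-second component) to MFT-derived records. The FILETIME inputs, file names and dates are constructed for illustration; a real run would feed it the timestamps pulled from each entry by whatever MFT parser is in use.

```python
"""Flag $STANDARD_INFORMATION vs $FILE_NAME timestamp discrepancies.

Added example, not FOR508 course code. Inputs are Windows FILETIME values
(100 ns ticks since 1601-01-01 UTC) as any MFT parser would extract them from
the two attributes; the records below are constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
FIELDS = ("created", "modified", "mft_modified", "accessed")


def filetime(dt, ticks=0):
    """datetime -> FILETIME, plus an optional sub-second tick count."""
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10 + ticks


def to_datetime(ft):
    """FILETIME -> timezone-aware datetime (microsecond precision)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def timestomp_indicators(si, fn):
    """Return the reasons an entry looks timestomped (empty list = clean).

    Rule 1: $SI creation earlier than $FN creation. $FN times are written by
    the kernel when the file is created, moved or renamed and cannot be set
    through SetFileTime, so a $SI time that predates them was set by hand.
    Caveat: a rename or move copies the current $SI times into $FN, so a
    stomp followed by a move defeats this rule.
    Rule 2: every $SI time has a zero sub-second part. Tools that call
    SetFileTime with second granularity leave .0000000 fractions; genuine NTFS
    writes almost never land exactly on the second. Weak on its own: files
    copied from FAT media or extracted from archives also carry truncated
    times, so corroborate with $FN and the $UsnJrnl before concluding.
    """
    findings = []
    if si["created"] < fn["created"]:
        findings.append("SI created predates FN created")
    if all(si[k] % TICKS_PER_SECOND == 0 for k in FIELDS):
        findings.append("all SI timestamps have zero sub-second precision")
    return findings


def scan(records):
    """Map file name -> indicator list for every MFT-derived record."""
    return {r["name"]: timestomp_indicators(r["si"], r["fn"]) for r in records}


def _utc(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def sample_records():
    """Constructed records: a normal document and a back-dated dropper."""
    doc_created = filetime(_utc("2024-03-11 14:02:17"), 1234567)
    doc_saved = filetime(_utc("2024-03-12 09:30:01"), 8812345)
    normal = {"name": "report.docx",
              "si": {"created": doc_created, "modified": doc_saved,
                     "mft_modified": doc_saved, "accessed": doc_saved},
              "fn": {k: doc_created for k in FIELDS}}
    # Dropped at 10:55:59 during the incident; $SI then set back to 2019 with
    # whole-second values, while $FN still carries the true drop time.
    drop = filetime(_utc("2024-03-11 10:55:59"), 4420001)
    stomped = {"name": "svchost.exe",
               "si": {k: filetime(_utc("2019-07-04 03:15:00")) for k in FIELDS},
               "fn": {k: drop for k in FIELDS}}
    return [normal, stomped]
```

Running `scan(sample_records())` reports nothing for report.docx and both indicators for svchost.exe. Treat the output as a triage list, not a verdict: the $UsnJrnl and $LogFile entries for the same file are what turn an indicator into evidence.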
Darling is a new IR analyst scoping requirements for an enterprise-wide security project to increase visibility on endpoints. Which configuration change offers the greatest benefit?
a. Enabling endpoint logging and forwarding to a central aggregator
b. Disabling PowerShell logging for cost and performance reasons
c. Ensuring that local storage for logs is minimized
d. Avoiding forwarding logs from endpoints due to data overwhelm
a. Enabling endpoint logging and forwarding to a central aggregator
(Topic: Level Up on Visibility. p. 111)
Honey was tasked to investigate noteworthy changes to directories and files on a critical server.
She was tasked to check the $UsnJrnl and $LogFile that were collected.
Case Details:
Time of incident: 10:55:59 AM
$LogFile collection started around 12 noon and finished around 12:10 PM.
$UsnJrnl collection started at 1 PM, after the lunch break, and was completed around 1:05 PM.
From the concepts in Book 5, which log is most beneficial to Honey, and why?
$UsnJrnl. $LogFile is small and typically holds only the last few hours of transactions, so activity from 10:55:59 AM may already have been overwritten by the time of the noon collection; $UsnJrnl is much larger and routinely retains days of change records, so the 1 PM collection still covers the incident.
(Topic: File System Journaling Overview. p. 65-68)
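Once a $UsnJrnl has been collected, its $J stream is a flat sequence of USN_RECORD_V2 structures, which is what makes the retention argument above actionable. The following is an added example, not FOR508 course code: it parses such a fragment using Microsoft's documented USN_RECORD_V2 layout, decodes the reason flags, and pulls out the records in a window around the incident time. The journal bytes, file names and MFT entry numbers are constructed with the same packing so the script runs offline.

```python
"""Parse $UsnJrnl:$J change records and select those around an incident.

Added example, not FOR508 course code. Record layout is USN_RECORD_V2 as
documented by Microsoft; the sample journal is constructed in-line.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

REASONS = {
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000010: "NAMED_DATA_OVERWRITE", 0x00000020: "NAMED_DATA_EXTEND",
    0x00000040: "NAMED_DATA_TRUNCATION", 0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00000400: "EA_CHANGE", 0x00000800: "SECURITY_CHANGE", 0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME", 0x00004000: "INDEXABLE_CHANGE", 0x00008000: "BASIC_INFO_CHANGE",
    0x00010000: "HARD_LINK_CHANGE", 0x00020000: "COMPRESSION_CHANGE", 0x00040000: "ENCRYPTION_CHANGE",
    0x00080000: "OBJECT_ID_CHANGE", 0x00100000: "REPARSE_POINT_CHANGE", 0x00200000: "STREAM_CHANGE",
    0x80000000: "CLOSE",
}


def filetime_to_dt(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return (dt - EPOCH_1601) // timedelta(microseconds=1) * 10


def decode_reason(flags):
    return [name for bit, name in REASONS.items() if flags & bit]


def parse_usn_v2(buf):
    """Return a dict per USN_RECORD_V2 in buf. $J is a sparse stream whose
    unallocated front reads as zeros, so zero bytes are skipped 8 at a time
    (record lengths are 8-byte aligned) until a record header appears."""
    out, off = [], 0
    while off + 0x3C <= len(buf):
        rec_len, major = struct.unpack_from("<IH", buf, off)
        if rec_len == 0:
            off += 8
            continue
        if major != 2 or rec_len < 0x3C or off + rec_len > len(buf):
            break  # unknown version or truncated record: stop rather than misparse
        frn, parent, usn, ts, reason, _src, _sid, _attrs, name_len, name_off = \
            struct.unpack_from("<QQQQIIIIHH", buf, off + 8)
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
        out.append({"usn": usn, "timestamp": filetime_to_dt(ts),
                    "mft_entry": frn & 0xFFFFFFFFFFFF, "mft_seq": frn >> 48,
                    "parent_entry": parent & 0xFFFFFFFFFFFF,
                    "name": name, "reasons": decode_reason(reason)})
        off += rec_len
    return out


def records_in_window(records, center, minutes=5):
    lo, hi = center - timedelta(minutes=minutes), center + timedelta(minutes=minutes)
    return [r for r in records if lo <= r["timestamp"] <= hi]


def _usn_record(usn, ts, reason, name, entry=100, parent=5, seq=1):
    """Pack one USN_RECORD_V2 (fixture builder, mirrors parse_usn_v2)."""
    name_b = name.encode("utf-16-le")
    length = 0x3C + len(name_b)
    length += (-length) % 8
    rec = bytearray(length)
    struct.pack_into("<IHHQQQQIIIIHH", rec, 0, length, 2, 0, (seq << 48) | entry,
                     (1 << 48) | parent, usn, dt_to_filetime(ts), reason, 0, 0, 0x20,
                     len(name_b), 0x3C)
    rec[0x3C:0x3C + len(name_b)] = name_b
    return bytes(rec)


def build_sample_journal():
    """Constructed $J fragment: sparse zeros, then a day's records including a
    drop-and-rename sequence around the 10:55:59 incident time."""
    T = lambda s: datetime.fromisoformat(s).replace(tzinfo=timezone.utc)
    recs = [
        _usn_record(0x1000, T("2024-03-11 08:12:03"), 0x00000002 | 0x80000000, "budget.xlsx", entry=200),
        _usn_record(0x1050, T("2024-03-11 10:55:58"), 0x00000100, "a.tmp", entry=301),
        _usn_record(0x10A0, T("2024-03-11 10:55:59"), 0x00000100 | 0x00000002, "a.tmp", entry=301),
        _usn_record(0x10F0, T("2024-03-11 10:56:00"), 0x00001000, "a.tmp", entry=301),
        _usn_record(0x1140, T("2024-03-11 10:56:00"), 0x00002000 | 0x80000000, "svchost.exe", entry=301),
        _usn_record(0x1190, T("2024-03-11 13:02:41"), 0x00000200 | 0x80000000, "a.tmp.bak", entry=302),
    ]
    return b"\x00" * 64 + b"".join(recs)
```

The RENAME_OLD_NAME / RENAME_NEW_NAME pair on the same MFT entry is the pattern to look for: it ties the innocuous a.tmp to the svchost.exe that replaced it, something neither the current directory listing nor $LogFile (if it has already rolled over) would show.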
M: This NTFS metadata file tracks whether clusters are in use or available
$Bitmap
(Topic: Data Types inside an MFT Entry. p.26)
K: Looking for this signature at the start of a sector is a good way to locate MFT fragments in unallocated space.
FILE
(Topic: Analyzing MFT Entry Header & $STANDARD_INFORMATION. p. 37)
W: Baby is analyzing a disk image for an IR case. During the analysis she noticed that one of the suspicious files has two $DATA attributes. What is the likely reason she is seeing this?
A file can have multiple $DATA attributes: the unnamed one holds the file's primary content and each named one is an alternate data stream (ADS)
(Topic: Analyzing $DATA. p.49)
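Four of the questions above (the FILE/BAAD entry signature, locating MFT fragments by checking sector starts, resident $DATA for small files, and a file carrying two $DATA attributes) are all facets of reading one MFT entry. The following is an added example, not FOR508 course code: it scans a raw buffer at sector boundaries for the signature, decodes the entry header, and walks the attribute list to report every $DATA stream with its name, residency and size. The layouts are the documented NTFS MFT entry and attribute headers; the buffer, record numbers and stream contents are constructed in-line. It assumes no update-sequence fixups need applying (the synthetic entries contain none); a parser for real images must apply them before reading attribute bytes that cross a sector boundary.

```python
"""Locate MFT entries by signature and walk their $DATA attributes.

Added example, not FOR508 course code. Layouts are the documented NTFS MFT
entry header and attribute header; the buffer is constructed in-line.
Assumption: update-sequence fixups are NOT applied (synthetic entries have none).
"""
import struct

SECTOR = 512
MFT_ENTRY_SIZE = 1024
ATTR_DATA = 0x80
ATTR_END = 0xFFFFFFFF
FLAG_IN_USE = 0x0001      # entry allocated; clear means the file was deleted
FLAG_DIRECTORY = 0x0002


def find_mft_entries(buf):
    """Scan a raw buffer (e.g. unallocated clusters) at sector boundaries for
    'FILE', which opens every valid MFT entry, and 'BAAD', which marks an
    entry that chkdsk found corrupt. Returns parsed header fields per hit."""
    hits = []
    for off in range(0, len(buf) - 0x30 + 1, SECTOR):
        sig = buf[off:off + 4]
        if sig not in (b"FILE", b"BAAD"):
            continue
        seq, links, first_attr, flags = struct.unpack_from("<HHHH", buf, off + 0x10)
        used, _alloc = struct.unpack_from("<II", buf, off + 0x18)
        (rec_no,) = struct.unpack_from("<I", buf, off + 0x2C)   # present since XP
        hits.append({"offset": off, "signature": sig.decode("ascii"), "record": rec_no,
                     "sequence": seq, "links": links, "in_use": bool(flags & FLAG_IN_USE),
                     "directory": bool(flags & FLAG_DIRECTORY), "used_size": used})
    return hits


def data_streams(entry):
    """Walk one entry's attribute list and describe each $DATA attribute: the
    unnamed one is the file content, named ones are alternate data streams.
    Resident attributes keep their content inside the MFT entry itself."""
    (first_attr,) = struct.unpack_from("<H", entry, 0x14)
    (used,) = struct.unpack_from("<I", entry, 0x18)
    streams, off = [], first_attr
    while off + 8 <= used:
        atype, alen = struct.unpack_from("<II", entry, off)
        if atype == ATTR_END or alen == 0:
            break
        if atype == ATTR_DATA:
            non_res, name_len, name_off = struct.unpack_from("<BBH", entry, off + 8)
            name = entry[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
            if non_res:   # content lives in clusters described by the run list
                (size,) = struct.unpack_from("<Q", entry, off + 0x30)
                content = None
            else:
                size, c_off = struct.unpack_from("<IH", entry, off + 0x10)
                content = entry[off + c_off:off + c_off + size]
            streams.append({"name": name, "resident": not non_res, "size": size, "content": content})
        off += alen
    return streams


# Fixture builders: lay out synthetic entries the way NTFS does.
def _resident_attr(atype, content, name=""):
    name_b = name.encode("utf-16-le")
    c_off = 0x18 + len(name_b)
    c_off += (-c_off) % 8
    total = c_off + len(content)
    total += (-total) % 8
    attr = bytearray(total)
    struct.pack_into("<IIBBHHH", attr, 0, atype, total, 0, len(name), 0x18, 0, 0)
    struct.pack_into("<IH", attr, 0x10, len(content), c_off)
    attr[0x18:0x18 + len(name_b)] = name_b
    attr[c_off:c_off + len(content)] = content
    return bytes(attr)


def _mft_entry(rec_no, flags, attrs, signature=b"FILE"):
    entry = bytearray(MFT_ENTRY_SIZE)
    body = b"".join(attrs) + struct.pack("<II", ATTR_END, 0)
    first_attr = 0x38                     # after the 6-byte fixup array at 0x30
    entry[0:4] = signature
    struct.pack_into("<HH", entry, 0x04, 0x30, 3)
    struct.pack_into("<HHHH", entry, 0x10, 2, 1, first_attr, flags)
    struct.pack_into("<II", entry, 0x18, first_attr + len(body), MFT_ENTRY_SIZE)
    struct.pack_into("<I", entry, 0x2C, rec_no)
    entry[first_attr:first_attr + len(body)] = body
    return bytes(entry)


def build_sample_buffer():
    """Constructed unallocated-space sample: zero filler with one live entry
    (primary data plus a Zone.Identifier ADS), one deleted entry, one BAAD entry."""
    live = _mft_entry(1234, FLAG_IN_USE, [
        _resident_attr(ATTR_DATA, b"MZ\x90\x00 tiny resident payload"),
        _resident_attr(ATTR_DATA, b"[ZoneTransfer]\r\nZoneId=3\r\n", "Zone.Identifier")])
    deleted = _mft_entry(1235, 0, [_resident_attr(ATTR_DATA, b"deleted note")])
    bad = _mft_entry(1236, FLAG_IN_USE, [], signature=b"BAAD")
    filler = b"\x00" * SECTOR
    return filler * 3 + live + filler + deleted + filler * 2 + bad + filler
```

`find_mft_entries(build_sample_buffer())` reports three hits at sector-aligned offsets, one of them BAAD and one with the in-use flag clear (a deleted file whose resident content is still readable); `data_streams` on the live entry returns the unnamed primary stream and the named Zone.Identifier stream, both resident. The same two functions work unchanged on a carved $MFT or on raw unallocated clusters once fixups are handled.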
What are the two primary ways to recover whole deleted files on a Windows volume discussed in Book 5?
Metadata method and carving method
(Topic: File Recovery - Metadata Method vs. Carving Method. p. 94)